CLOUDSTACK-337 - first iteration of an agent SELinux policy
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/f0a77d67 Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/f0a77d67 Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/f0a77d67 Branch: refs/heads/marvin-refactor Commit: f0a77d67cc0776a33e3bd12e4f69a4f15c4b3c36 Parents: b130e8b Author: David Nalley <da...@gnsa.us> Authored: Sat Mar 16 13:26:24 2013 -0400 Committer: David Nalley <da...@gnsa.us> Committed: Sat Mar 16 13:26:24 2013 -0400 ---------------------------------------------------------------------- packaging/centos63/cloudstack-agent.te | 33 +++++++++++++++++++++++++++ 1 files changed, 33 insertions(+), 0 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/f0a77d67/packaging/centos63/cloudstack-agent.te ----------------------------------------------------------------------
diff --git a/packaging/centos63/cloudstack-agent.te b/packaging/centos63/cloudstack-agent.te
new file mode 100644
index 0000000..4259e17
--- /dev/null
+++ b/packaging/centos63/cloudstack-agent.te
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+module cloudstack-agent 1.0;
+
+require {
+ type nfs_t;
+ type system_conf_t;
+ type mount_t;
+ type qemu_t;
+ class file unlink;
+ class filesystem getattr;
+}
+
+#============= mount_t ==============
+allow mount_t system_conf_t:file unlink;
+
+#============= qemu_t ==============
+allow qemu_t nfs_t:filesystem getattr;
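Review bot: The `allow mount_t system_conf_t:file unlink;` rule lets every process running in `mount_t` delete any file labelled `system_conf_t`, not only the file the agent's workflow touches, and nothing in the module records which denial it answers. Both rules look like audit2allow output applied to base domains, so they widen `mount_t` and `qemu_t` host-wide instead of confining the agent. I would precede each rule with a comment naming the triggering path and operation, e.g. `# mount_t: unlink of <PATH_FROM_AVC> during <AGENT_OPERATION>`. I would also check whether that file can carry a dedicated type, or whether the denial comes from a mislabelled file that `restorecon` would fix. The `qemu_t nfs_t:filesystem getattr` rule only grants filesystem metadata access and is the lower-risk of the two.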